Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 An Ultra-lightweight Authentication Protocol in RFID Speaker: 魏家惠.

Published byJosie Blair Modified over 9 years ago

Similar presentations

Presentation on theme: "1 An Ultra-lightweight Authentication Protocol in RFID Speaker: 魏家惠."— Presentation transcript:

1 1 An Ultra-lightweight Authentication Protocol in RFID Speaker: 魏家惠

2 2 Outline Introduction –Environment Definition –Authenticate Analysis Related Work –First paper –Important paper between 2006 ~ 2009 –Recently paper 2009 –Security Analysis Comments

3 3 Environment Definition Chien ‘ s four class in RFID –Full-fledged Symmetric encryption Public key algorithms –Simple Random number generator One-way hashing function –Lightweight Random number generator Cyclic Redundancy Code checksum –Ultralightweigh XOR, AND, OR, Rot

4 4 Authenticate Analysis Tag Identification Mutual Authentication Index-Pseudonym Updating Key Updating –Mutual authentication –Data integrity –Tag anonymity –Tracking –Data confidentiality –Forward security –Replay attack –Man-in-the-middle attack –de-synchronization attack

5 5 First paper (M 2 AP scheme) [2006] M 2 AP A Minimalist Mutual Authentication Protocol for Low-cost RFID Tags, In: LNCS, vol. 4159. Springer. pp. 912-923,2006. ReaderTags 1. hello 2. IDS ID, IDS, K1, K2, K3 3. A ∥ B ∥ C 4. D ∥ E A=IDS ♁ K1 ♁ n1 B=(IDS ^ K2)ˇn1 C=IDS+K3+n2 D=(IDSˇK4) ^ n2 E=(IDS+ID) ♁ n1

6 6 Second paper (LMAP scheme) [2006]LMAP A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags, in Proceedings of the 2nd Workshop on RFID Security, 2006. ReaderTags 1. hello 2. IDS (ID, IDS, K1, K2, K3) next (ID, IDS, K1, K2, K3) old 3. A ∥ B ∥ C 4. D (ID, IDS, K1, K2, K3) next (ID, IDS, K1, K2, K3) old A=IDS ♁ K1 ♁ n1 B=(IDSˇK2)+n1 C=IDS+K3+n2 D=(IDS+ID) ♁ n1 ♁ n2 M 2 AP A=IDS ♁ K1 ♁ n1 B=(IDS ^ K2)ˇn1 C=IDS+K3+n2 D=(IDSˇK4) ^ n2 E=(IDS+ID) ♁ n1

7 7 Security analysis of LMAP and M 2 AP (Li and Wang ’ s Scheme) [2007] Security Analysis of Two Ultra lightweight RFID Authentication Protocol, International Federation for Information Processing, Vol. 232, pp. 109-120, 2007. Vulnerabilities of LMAP and M 2 AP –de-synchronization Changing message C –Full-disclosure Reader Tags 1. hello 2. IDS 3. A ∥ B ∥ C’ 4. D’ A=IDS ♁ K1 ♁ n1 B=(IDS V K2)+n1 C=IDS+K3+n2’ D=(IDS+ID) ♁ n1 ♁ n2’ C=(IDS+K3)+n2 D=(IDS+ID) ♁ n1 ♁ n2 C-IDS-K3=(IDS+ID) ♁ n1 ♁ D C new =(IDS+K3)+n2 new D new =(IDS+ID) ♁ n1 ♁ n2 new C new -IDS-K3=(IDS+ID) ♁ n1 ♁ D new C new -C=(IDS+ID) ♁ D new -(IDS+ID) ♁ n1 ♁ D (1) (2) (1) - (2) x ♁ a = x ♁ b + c mod 2 96 96bits/4=24 (2 24 — 1) times

8 8 Countermeasures of Li and Wang ’ s Scheme (cont.) Countermeasures –Sending `D (to solve full-disclosure attack) The tag always send a message to fool the attacker. If the reader is authenticated, it sends D=(IDS+ID) ♁ n1 ♁ n2 ; otherwise, it sends D ’ =(IDS+ID) ♁ n2 –Storing status (to solve incomplete protocol) The reader and the tag keep the status and the random number of the protocol A status bit S=0 → the protocol is completed (synchronized) A status bit S=1 → the protocol is uncompleted (desynchronized) After that can updating n1 and n2

9 9 Security analysis of Li and Wang ’ s scheme [2007]Security of ultra-lightweight RFID authentication protocols and its improvements, ACM SIGOPS Operating Systems Review, Vol.41 Issue 4, 2007. Vulnerabilities of Li Wang ’ s attacks –Sending `D (to solve full-disclosure attack) modify phase 3: successfully authenticate response D=(IDS+ID) ♁ n1 ♁ n2 next, send A ’ ∥ B ∥ C authentication will fail response D ’ =(IDS+ID) ♁ n2 D ’ ♁ D get n1 A ∥ B ∥ C D=(IDS+ID) ♁ n 1 ♁ n2 A’ ∥ B ∥ C D’=(IDS+ID) ♁ n2

10 10 Security analysis of Li and Wang ’ s attacks (cont.) Countermeasures –Sending `D (to solve full-disclosure attack) The tag extracted value (n1, n1 ’, n2) from A ∥ B ∥ C Outputs the value shift(n1,n1 ’ ) ♁ shift(n1 ’,n2) is random value D=(IDS+ID) ♁ shift(n1,n1 ’ ) ♁ shift(n1 ’,n2) –Full-disclosure modify phase 5: (1) set n1 new =0. (2) set C 1 new =C new +1 n2[1]=0, n2=000 … 00, n2 ♁ (n2+1)=000 … 01 n2[1]=1, n2=00 … 01 … 1, n2 ♁ (n2+1)=000 … 01 … 1 The attacker can determine iє[0,95], i+1 < (2 24 -1) A=IDS ♁ K1 ♁ n1 B=(IDSˇK2)+n1 C=IDS+K3+n2 D=(IDS+ID) ♁ n1 ♁ n2 A new =IDS ♁ K1 B new =IDSˇK2 D new =(IDS ♁ ID) ♁ n2 D 1 new =(IDS ♁ ID) ♁ n2+1 D new ♁ D 1 new = (n2+1) ♁ n2

11 11 Important paper [2007] SASI A New Ultra-lightweight RFID Authentication protocol providing strong authentication and strong integrity, IEEE Transactions on Dependable and Secure Computing 4(4), pp. 337-340, October, 2007. ReaderTags 1. hello 2. IDS ID, IDS, K1, K2, K3 3. A ∥ B ∥ C 4. D

12 12 Cryptanalysis of SASI [2008]Cryptanalysis of a New Ultralightweight RFID Authentication Protocol-SASI, IEEE Transactions on Dependable and Secure Computing, Vol. 6, No. 4, pp.316- 320, 2008. 8bits 固定值 ”E0” 8bits IC 廠商的編碼 (MSB) 48bits 廠商所定的獨一序號 (LSB)

13 13 Security analysis of SASI (cont.) [2009] On the Security of Chien's Ultra-Lightweight RFID Authentication Protocol, IEEE Transactions on Dependable and Secure Computing, pp.1-3, 2009. Reader Tags 1. hello 2. IDS 3. A’ ∥ B’ ∥ C’ 4. D ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 3, K1 3, K2 3, K3 3 A’ ∥ B’ ∥ C’ Attacker ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 2, K1 2, K2 2, K3 2 1st round 2st round Normal ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 3, K1 3, K2 3, K3 3 ID, IDS 0, K1 0, K2 0, K3 0 ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 0, K1 0, K2 0, K3 0 ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 0, K1 0, K2 0, K3 0 ID, IDS 1, K1 1, K2 1, K3 1 3. A’’ ∥ B’’ ∥ C’’ 3st round 1. hello 2. IDS 1 3. A’ ∥ B’ ∥ C’ 4. D’ ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 3, K1 3, K2 3, K3 3 ID, IDS 1, K1 1, K2 1, K3 1 ID, IDS 2, K1 2, K2 2, K3 2 Attacker

14 14 Recently paper [2009] An Ultra Light Authentication Protocol Resistant to Passive Attacks under the Gen-2 Specification, Journal of Information Science and Engineering 25(1), pp.33-57, 2009. –Assumption: backward and forward channel can be passively listened by an attacker. –Min-in-the-middle and other active attacks are not feasible

15 15 Comments [2009] On the Security of Chien's Ultra-Lightweight RFID Authentication Protocol, IEEE Transactions on Dependable and Secure Computing, pp.1-3, 2009. –3st is not authenticated by the reader –Because the reader generate new n2, it not equal to B ’ and C ’ [2009] An Ultra Light Authentication Protocol Resistant to Passive Attacks under the Gen-2 Specification, Journal of Information Science and Engineering 25(1):33-57, 2009. –Cryptanalysis of ULAP is the same as LMAP

16 16 Thank you

Download ppt "1 An Ultra-lightweight Authentication Protocol in RFID Speaker: 魏家惠."

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Kerberos Assisted Authentication in Mobile Ad-hoc Networks Authors: Asad Amir Pirzada and Chris McDonald Sources: Proceedings of the 27th Australasian.

Kerberos Assisted Authentication in Mobile Ad-hoc Networks Authors: Asad Amir Pirzada and Chris McDonald Sources: Proceedings of the 27th Australasian.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
1 Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24.

1 Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24.
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.
Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.

Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.
A lightweight mutual authentication protocol for RFID networks 2005 IEEE Authors : Zongwei Luo, Terry Chan, Jenny S. Li Date : 2006/3/21 Presented by Hung.

A lightweight mutual authentication protocol for RFID networks 2005 IEEE Authors : Zongwei Luo, Terry Chan, Jenny S. Li Date : 2006/3/21 Presented by Hung.
A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :11.23 1.

A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中 日期 :
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 90321019 王怡君.

Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 王怡君.
An Authentication Scheme for Mobil Satellite Communication Systems Advisor: Prof. Jen-Chang Liu Graduate Student: Yi-Ching Chen( 陳怡靜 92321527) Date: 2004/05/26.

An Authentication Scheme for Mobil Satellite Communication Systems Advisor: Prof. Jen-Chang Liu Graduate Student: Yi-Ching Chen( 陳怡靜 ) Date: 2004/05/26.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
RFID Security and Privacy Part 2: security example.

RFID Security and Privacy Part 2: security example.
A password authentication scheme with secure password updating SEC 期末報告 學號: 89321037 姓名:翁玉芬.

A password authentication scheme with secure password updating SEC 期末報告 學號: 姓名:翁玉芬.
1 電子商務代理人與無線射頻系統上安全設計之研究 The Study of Secure Schemes on Agent-based Electronic Commerce Transaction and RFID system 指導教授 : 詹進科 教授 (Prof. Jinn-Ke Jan) 陳育毅.

1 電子商務代理人與無線射頻系統上安全設計之研究 The Study of Secure Schemes on Agent-based Electronic Commerce Transaction and RFID system 指導教授 : 詹進科 教授 (Prof. Jinn-Ke Jan) 陳育毅.
YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 2006.

YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 2006.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Similar presentations

Ads by Google